On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > 2) In delegation.ldif: ipapermission object class is missing for
> > removeentitlements and modifyentitlements (it has been added for
> > addentitlements though)
> This was on purpose, I should have been clearer. Patch 664 makes major
> changes to these and I'm trying to make the merge easier. I'll fix them
> up when 664 gets pushed.
I thought so. I was confused by the addentitlements permission, whose
objectclass was updated. We just have to make sure that the
entitlements patch includes this new objectClass.
> > QUESTION:
> > In this patch you add a READONLY flag to Replica permissions. However it
> > is not actually used and stays as just an informative flag. It won't
> > prevent a user from modifying/removing READONLY permissions.
> > I guess enhancing permission-mod and permission-del with a READONLY check
> > will be the subject of another ticket?
> Ok, interesting point. I considered the aci itself to be read-only. The
> only thing a user could do is rename the permission, right? I think that
> would maintain consistency so it shouldn't be a problem. It would
> probably be easy to really make these read-only but that would have a UI
> impact as well, perhaps a problematic one. I suppose if they could
> handle any read-only exceptions we'd raise that would be adequate.
Yes, a user could rename or delete the permission. In both cases it won't have
any effect on the ACI, as the ACI plugin does not see it. But I think it
would be nice to prevent modifications to these permissions when we have
this new and shiny READONLY flag. Read-only exception may be a way to
Freeipa-devel mailing list